The correct certificate is deployed and was working in previous IOS versions.

It turns out that IOS 12.x does not like the fix from KD 2015-06-04:

backend/imap/imap.php:
case SYNC_BODYPREFERENCE_MIME:
if ($is_smime) {
if ($is_encrypted) {
// #190, KD 2015-06-04 - If message body is encrypted only send the headers, as data should only be in the attachment
// IOS 12.x now doesn't like to get just the headers:
// $data = $mail_headers;
$data = $mail;
}
else {
$data = $mail;

returning $mail instead of $mail_headers for encrypted mime fixes message reading again on all our IOS devices, however that patch is sloppy. I think should add version check to either return $mail or $mail_headers. Also not sure at what IOS version exactly needs that change.